On Sa, Feb 20, 2010 at 22:02:51 (CET), Michael Gilbert wrote: > package: ffmpeg > version: 0.svn20080206-18 > severity: serious > tags: security > > hi, i have just tested the latest ffmpeg update against the original > proof of concepts [0] reported in bug #550442 [1]. many of them are > still effective. there is some good news though; i've found that > upstream has addressed all of the problems in their latest svn version. > attached are my findings.
can you please rerun your tests using this branch: /srv/scratch/packages/ffmpeg/upstream/ffmpeg-0.5 I'm working on getting an 0.5.1 point release released RSN which will get into squeeze. Fixing these security bugs there is a higher priority for me than fixing 0.svn20080206-18. Unfortunately I'm very busy this week and cannot promise to work on that until next weekend. > reference [2] may be useful to track down the other needed patches; or > it may be easier to just upgrade to a new svn (however, the patches > still need to be determined for stable). I don't think its really worth tracking dos-only fixes. FFmpeg is very performance tuned, and AFAIUI upstream does consider dos-only fixes only on a best efford basis as long as it doesn't impair performance. crashers that allow remote code execution however are another issue that need to be investigated. -- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
